Data management platforms play an increasingly important role in helping digital marketers find high-value audiences, largely based on third-party data collection without much transparency. But with the General Data Protection Regulation being enforced in May, DMPs may face a tough battle to obtain third-party data.

DMPs mainly process third-party data through cookies for lookalike targeting, and under the existing laws, consent isn’t necessarily required to use cookies. But the GDPR will change that, as it demands that personal data — including data collected through cookies — can only be used with explicit consent from individuals. That means DMPs will face more legal obligations under the GDPR, and since the GDPR will make it harder for companies to obtain third-party data, DMPs may have to rely more on first-party and second-party data than third-party data, according to ad tech executives and legal counsels.

“There is much more legal work ahead for DMPs, especially between them and their data providers,” said Maciej Zawadzinski, CEO of Poland-headquartered ad tech firm Clearcode. “Third-party data will become less accessible because of GDPR, which is likely to cause DMPs to focus more on first-party and second-party data. But it doesn’t mean that third-party data will become irrelevant, or DMPs will stop relying on it.”

Becky Burr, chief privacy officer for Neustar, believes that GDPR will have a significant impact on DMPs and ad tech companies in general. This is because ad tech companies are known to process data based on inferred consent through opt-out mechanisms, but GDPR makes reliance on individuals’ consent as the lawful basis for processing data, according to Burr. “In addition, enhanced data subject rights in the form of access, correction, erasure, and portability will require more robust consumer-facing portals and may create additional processing overhead [for DMPs] in some situations,” said Burr.

Douglas McPherson, chief legal officer for OpenX, thinks that whether — and how — the GDPR will affect DMP operations boils down to how a company defines its role under the regulation: Is it a “data controller” that “determines the purposes and means of the processing of personal data?” Is it a “data processor” that “processes personal data on behalf of the controller?” Or is it a “data subprocessor” that a data processor engages to conduct further processing in addition to what the data processor is doing? The role determines how and why a company collects personal data, said McPherson. For instance, the data processor can’t engage the subprocessor without informing the data controller.

McPherson believes that while DMPs typically act like data processors, they will also be viewed under the GDPR as data controllers in some cases, like when they collect data from credit card companies, look for users’ purchase patterns, create user profiles and then create data products to sell, for instance. And as data controllers, DMPs will have lots of legal responsibilities under the GDPR, like maintaining records of data-processing activities, as well as implementing an internal policy on handling data and data security.

“Some of those things are required by GDPR’s predecessor as well, but few companies took the regulation seriously because there were no significant financial penalties,” said McPherson. “But GDPR will change that. If there’s a data breach, for example, data controllers will get a fine of €20 million [$24 million] or 4 percent of their global revenue.”

In addition to the role of DMPs under the GDPR, the definition of user consent also determines the regulation’s impact on DMPs. “For now, it’s unclear what type of consent is adequate for GDPR purposes — we are told that there will be further guidance on consent over the upcoming months,” said McPherson. “If GDPR requires more robust consent than the existing laws, DMPs may need to ask brands and publishers they work with to obtain explicit consent from individuals, or DMPs can look for first-party data or other data sources.”

While Burr thinks that changes in the treatment of consent under the GDPR are “an important derogation” for DMPs that usually aggregate and analyze pseudonymised website data and log data on publisher, retailer, and advertiser websites. “Because IP address may be personal data under EU data protection law, Neustar stores them for 10 days or less, keeping only truncated or hashed IP addresses for our products and services,” said Burr.

Tiffany Morris, general counsel and vp of global privacy for Lotame that has a DMP business, also believes consent can work smoothly in a first-party relationship, but it is hard to track consent in a third-party relationship, where data may flow into different parties’ hands. “We are talking to our data providers to understand how they interpret GDPR, how they obtain consent and if they follow the IAB consent mechanism,” said Morris.

DMPs like Neustar and Lotame already started adding GDPR-specific language to vendor contracts with their data providers. But Morris thinks the real challenge for DMPs is how they interact with data providers technically. “In many cases, the DMP is acting solely as the processor who is processing first-party data at the direction of the controller or the client. In some instances, however, a DMP may act as a data controller,” said Morris. “GDPR makes it clear that both the data controller and the data processor are responsible for personal data. But we don’t have technical means to validate how [our data providers] obtain consent.”

Despite these challenges, ad tech executives and legal counsels interviewed for this story believe the GDPR creates opportunities for quality data and better data management. They also think the regulation will lead to consolidation in the ad tech space, as media buyers feel pressure to cut vendors that are not GDPR-compliant.

“There’s lots of negativity about GDPR in press, but it’s a positive thing to me,” said Nick McCarthy, svp of data solutions for agency Merkle’s operations in Europe, the Middle East and Africa. “There’s lots of work to do, but it pushes people to be responsible.”